[rb-general] [jvm] How to share rebuilder attestations

Eli Schwartz eschwartz at archlinux.org
Wed Jan 9 14:51:33 CET 2019

On 1/9/19 2:52 AM, Hervé Boutemy wrote:
> I see the advantages of this scenario
> but I also see 1 key drawback = the buildinfo has to be reproducible, and in 
> the case of JVM artifacts in public repositories like Maven Central, this 
> could be really problematic since every publisher has his own build platform, 
> with his own JDK patch level and own OS (usually one of Windows/Linux/Mac, to 
> just limit the diversity but I'm sure it's even more diverse)
> I fear that you can do that because of the strict environment control that a 
> Linux distro,  but this cannot be the same  with the public JVM repos
> can you provide me a pointer to an ArchLinux JVM artifact (preferably built 
> with Maven...) that I could try to reproduce myself, please?


This is our maven package -- anything built using maven will be listed
under Required By, which is only 5 packages.


Gradle has another 3.


Ant has a few more -- about 31.

> yes, using external server to download dependencies is a default behaviour, 
> but if someone wants to override to get his own artifact repository instead, 
> you can do it with parameters (at least with Maven, but I suppose every build 
> tool can)

Is this something that could be packaged and then referenced as a
directory path?

> let's dig into the JVM requirement:
> from experience, bytecode produced by major JVM versions is really different 
> (tested with JDK 7, 8, 9, 10 and 11)
> but patch level is not
> since what we record easily is the full JDK version (major version + patch 
> level), we mix strong requirement (major version) with something that is not 
> that important (patch level) and that we would like to accept variation (I 
> already have 5 JDK versions on my computer for 5 major versions, if I need to 
> have strict patch level, I'll finish with hundreds, since once again I want to 
> rebuild every artifact from Maven Central, that has been built by anybody in 
> his own personal environment.

I see the problem, although I wonder, if patchlevel bytecode is stable
then could this be solved by defining a buildinfo that only records the
major version?

Might not be worth the downsides though.

Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20190109/382cb424/attachment.sig>

More information about the rb-general mailing list